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Abstract — This Multi-receiver signcryption is a new 
cryptographic primitive that simultaneously fulfils both the 
functions of signature and multi-receiver encryption. 
Generalized Multi-Receiver signcryption can provide 
authenticity or confidentiality separately under specific inputs. 

Generalized signcryption (GSC) scheme can adaptively 
work as an encryption scheme, a signature scheme or a 
signcryption scheme with only one algorithm. It is very suitable 
for storage-constrained environments. In this paper, we analyze 
a multi-receiver GSC scheme, and show that it cannot achieve 
indistinguishability -adaptive chosen ciphertext attack 
(IND-CCA2) secure in the pure encryption mode and hybrid 
encryption mode. We further propose an improved scheme, 
which can be proved to be IND-CCA2 secure and existentially 
unforgeable-adaptive chosen message attack (EUF-CMA) under 
computational Diffie-Hellman (CDH) assumption. 


Index Terms — Generalized signcryption, Multi-receiver 
generalized signcryption, Adaptive chosen cipher text attack, 
Adaptive chosen message attack, randomness reusing. 

I Introduction 

In 1997, Zheng [1] proposed a novel concept named 
signcryption. The purpose of signcryption is to perform 
encryption and signature simultaneously, at lower 
computational costs and communication overheads than the 
usual sign-then-encrypt approach. Since then, many 
signcryption schemes have been proposed. In Asiacrypt 2011, 
Paterson et al. [2] revisited the problem where a single 
keypair is used for both encryption and signature primitives. 
This usage can reduce storage requirements, the cost of key 
certification and the time taken to verify certificates. These 
savings may be critical in embedded systems and low-end 
smart card applications.However, there is the question of 
whether it is secure to use the same keypair in two or more 
different primitives. The formal study of the security of key 
reuse was initiated by Haber et al. [3] in 2001, and followed 
by [4, 5, 6, 7]. Paterson et al. [8] gave examples, where 
encryption and signature schemes are individually secure but 
become completely insecure when a keypair is shared 
between them. They concluded that such scheme must be 
designed specially, and they gave a general construction and a 
more efficient concrete construction based on pairings, where 
encryption and signature schemes share the same keypair. 
They also proposed a scheme implementing the functionality 
of signcryption, signature and encryption using a single 
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keypair. However, sometimes we need confidentiality and 
authenticity simultaneously, and sometimes we just need them 
separately. To achieve this special requirement, we can 
naively use three different schemes: an encryption scheme, a 
signature scheme, and a signcryption scheme. Nevertheless, 
the naive approach needs three keypairs, thus increases the 
burdens of the key management. 

In order to realize signcryption, signature, and 
encryption functions by using one keypair and one algorithm, 
so as to save storage spaces and simplify key management, 
Han et al. [9] in 2006 introduced a new concept of generalized 
signcryption (GSC). GSC scheme can produce the specific 
outputs according to the inputs of identities of the sender and 
the receiver adaptively, that is, if the input of the sender is 
vacant, it becomes an encryption scheme, if the input of the 
receiver is vacant, it becomes a signature scheme, if the inputs 
of the sender and the receiver are not vacant, it becomes a 
signcryption scheme, if the inputs of the sender and the 
receiver are all vacant, it takes no secure policy. Its main merit 
is the storage requirements for three schemes (signcryption, 
encryption and signature) and three key pairs can be reduced 
to one scheme and one key pair. Thus, it can realize using one 
keypair and one algorithm in three different cryptographic 
primitives. It is very suitable for storage constrained 
environments, like the embedded systems, smart cards and 
wireless sensor networks. 

Based on ECDSA [10] Han et al. [9] first proposed 
an efficient GSC scheme. Wang et al. [11] gave the first 
security model and revised Han et al.'s [9] scheme. In 2008, 
Lai et al. [12] gave the first identity-based generalized 
signcryption (ID-GSC) scheme and a security model of 
ID-GSC. In 2010, Yu et al. [13] pointed out Lai et al.'s [12] 
security model is not complete, and they improved it and 
proposed a new scheme which is secure in this model. Later, 
Kushwah et al. [14] simplified Yu et al.'s [13] security model 
and proposed another efficient ID-GSC scheme. Moreover, a 
lot of other GSC schemes have also been given out, including 
PKI-based (public key infrastructure) schemes [15, 16, 17], 
identity-based schemes [18, 19], certificateless schemes [20, 
21, 22, 23], multi-PKG (private key generator) scheme [24, 
25] and schemes in the standard model [24, 22, 26]. However 
all of the above mentioned schemes are suitable for one 
receiver scenario. Baudron et al. [27] and Bellare et al. [28] 
independently formalized the concept of multi-receiver public 
key encryption. Their main result is that the security of public 
key encryption in the single receiver setting implies the 
security in the multi-receiver setting. Hence, one can 
construct a semantically secure multi-receiver public key 
encryption scheme by simply encrypting a message n times, 
obviously it is inefficient. Later, a novel technique called 
randomness reuse [29] was presented to enhance the 
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efficiency. Randomness reuse is a novel technique to improve 
the efficiency of a multireceiver encryption scheme, but not 
all randomness reuse-based multi-receiver encryption 
schemes are secure. Bellare et al. [30, 32] proved that if the 
underlying basic scheme is reproducible and semantically 
secure, then the corresponding randomness reuse based 
multi-receiver encryption scheme is semantically secure too. 
Randomness reuse technique is also introduced to 
signcryption [33] and generalized signcryption [35] 
scenarios. Han et al. [34] proved if the underlying basic GSC 
scheme is reproducible and semantically secure, then the 
corresponding randomness reuse-based multi-receiver GSC 
scheme is semantically secure too. 

In multi-receiver GSC setting, Han [15] first 
proposed a multi-receiver GSC scheme, but his scheme is a 
trivial n-receiver scheme that runs GSC repeatedly n times, 
which obviously is very inefficient. In 2008, Yang et al. [35] 
proposed a multi-receiver GSC scheme which used the 
technique of randomness reuse, but they did not give the 
security proof of their scheme. In 2009, Han et al. [34] 
proposed a multi-receiver GSC scheme, their scheme is 
very efficient and they applied it for secure multicast in 
wireless network. In 2014, Zhou [36] proposed the first time 
an identity-based multi-receiver GSC scheme which also used 
the technique of randomness reuse. 

In this paper, we will show that Han et al.'s [34] 
multi-receiver GSC scheme are insecure, their basic GSC 
scheme is not IND-CCA2 [37] secure in the pure encryption 
mode, and thus their multi-receiver GSC scheme is not 
IND-CCA2 secure in the pure encryption mode and hybrid 
encryption mode. Then we give an improvement of their 
scheme, interestingly, the improved scheme is more secure 
than the original one while still maintaining its efficiency. The 
confidentiality and existential unforgeability of the improved 
scheme can be proved under the CDH assumption. Compared 
with other multi-receiver signcryption schemes, our improved 
scheme enjoys shorter ciphertext length and less operation 
costs like the original scheme. 

II. Framework of Multi-receiver Generalized 
Signcryption Scheme 

A multi-receiver GSC scheme consists of the following three 
algorithms: 

1. Setup Algorithm: Given a secure parameter k, it 
generates the system public parameters. (SK X , PK X ) <— 
Gen(X,l k ) is a key generation algorithm and produces 
the private key SK X and the public key PK X for the user 
X. 

2. Generalized Signcryption Algorithm: o<— (M, SK k , 

PK R1 , PK R2 PK Rn ) is a probabilistic algorithm, and 

takes the private key SK s of the sender S, the public keys 
PK Ri (i = l,..,n) of the receivers and messages M = m, (i 
'** l,..,n) o. There are 5 scenario in this algorithm: 

a. Pure Signcrytpion mode: If the sender and all the 
receivers are determined, it runs in this mode, the 

ciphertext is GSC(M, SK s , PK R1 , PK R2 , PK Rn ) = 

signcrypt(M, SK s , PK R! , PK R2> PK Rn ). 

b. Pure Signature Mode: If all the receiver are vacant and 
the sender is determined, it runs in this mode, the 


ciphertext is o<— GSC(M, SK s , <|) R1 , (j) R2 <f)Rn) = 

sign(M, SK s ). Here ()> means the user is vacant. 

c. Pure Encryption Mode: If the sender is vacant and all of 
the receivers are determined, it runs in this mode, the 

ciphertext is cn— GSC(M, (|> s , PK Rh PK R2i PK Rn ) = 

encrypt(M, PK R1 , PK R2 , PK Rn ). 

d. Hybrid Signcryption Mode: If some of the receivers are 
vacant, and the rest of receivers are determined, it runs 
in this mode. For the determined receivers, the 
ciphertext c is a signcryption ciphertext and for the 
vacant receivers, the ciphertext o is a signature. 

e. Hybrid Encryption Mode: If some of the receivers and 
sender are vacant, it runs in this mode. For the 
determined receivers, the ciphertext c is an encryption 
ciphertext and for the vacant receivers, the ciphertext o 
is a plain text, it takes no secure policy. 

3. De-generalized Signcryption Algorithm: m ; U 1 <— 
DGSCfo, SK r , PK s ) is a deterministic de- generalized 
signcryption algorithm and takes the public key PK S of 
the sender S, the private key SK R , of the receiver R,, and 
the ciphertext a, e o(i= 1 ,..n), to return the message m, or 
an valid symbol 1. There are five scenario in this 
algorithm: 

a. Pure Signcryption Mode: DGSQo^ SK R| , PK S ) = 
unsigncrypt (c K SK R| , PK S ). 

b. Pure Signature Mode: DGSC ((Tj <f> Rl , PK S ) = verify (o,, 
PK S ). 

c. Pure Encryption Mode: DGSCfo, SK R , <|> s ) = decrypt (o, 
SK Ri ). 

d. Hybrid Signcryption Mode: For the determined 
receivers, DGSCfOi, SK Rl , PK S ) = unsigncrypt (c K SKr,, 
PK S ) and for the vacant receivers, DGSC(o, (j) Ri , PK S ) = 
verify fa PK S ). 

e. Hybrid Encryption Mode: For the determined receivers, 
DGSC(a ij SK Rl , <j) s ) = decrypt (a u SK Rl ) and for the 
vacant receivers, the ciphertext is plain text, it takes no 
secure policy . 

For consistency, we require DGSC(GSC(M, SK s , PK R1 , 
PKr 2, PK Rn ) SK r , PK s ) = m„ for i=l,..,n, M= mi. 

If all the identities are vacant, it takes no secure 
policy. Above five modes are transparent to 
applications, namely, the algorithm can produce the 
specific outputs according to the inputs of identities of 
the sender and the receivers adaptively. Applications 
need not care about which mode should be taken. 

III. Han et al’s Multi-receiver General Signcryption 
Scheme 

A Sender S sends a z bits message vector M = { m ; | m, 
e[0,l} z , i = l,..,n}to intended receivers Ri, (i = l,..,n), and 
then broadcasts the aggregated signcryption text. A receiver 
Ri gets his signcryption text and designcrypts it. 

Setup: Let k be a secure parameter, q be a k bits prime, and Gi 
be a bilinear group with order q. P is a generator of group Gi. 
Elements on Gi have the length of 1 bits. Hp [0,1 } z X Gi — > Gi 
and H 2 : Gi 3 — > (0,1 } z+1 are two hash functions, where z is the 
bit length of message m. In order to get adaptive outputs, they 
defined a special function f(P), When P=0, f(P)=0, else 
f(P)=l, where Pe Gi is a user’s public key. O e G| is the zero 
element. 


36 


www.erpublication.org 


International Journal of Engineering and Technical Research (IJETR) 
ISSN: 2321-0869 (O) 2454-4698 (P), Volume-3, Issue-11, November 2015 


Keygen: It takes the secure parameter k and user’s identities 
to produce keys. For the sender S, his key pairs are (x s ,Y s ) <— 
Gen(S,l k ), where x s e r Z q and Y s = x s P e Gi. For the receiver 
R ; , (i = l,..,n), his pair keys are (xr^Yr,) <— Gen(R,l k ), where 
XRi e r Z q and Y Ri = x Ri P 6 Gj. If S e (j), (0,0) «- Gen(S,l k ), If 
R, e (j), (0,0) «- Gen(R i; l k ). 

GSC: To signcrypt message vector M = jm, | m, e{0,1 } z , i = 
l,..,n}, S performs the following operations: 

a) Picks a random coin r e R Z q and computes the 

commitment U=rPe Gi. 

b) For i = l,..,n 

i. Computes Vi = x s Hi(mi,rY R i) e Gi. 

ii. Computes Z, = ( mi || V,) © (H 2 (U, Y R| , 

rY R ;)f(Y Ri )) e {0,1} Z+1 . 

EndFor 

c) The ciphertext vector is given by a = (U, Zi,.... Z n ) 

which is sent to the group via a broadcast channel. 

DGSC: When receiving a, the receiver R n gets his 
signcryption text o, = (U,Zj) and performs the following steps: 

a) Computes H 2 (U, Y R , x Rl U). 

b) Computes (m, || V,) = Z, 0 (H 2 (U, Y Ri , x Ri U)f(Y Ri )). 

c) If Vi = O, returns the message m n else computes h, = 

H 2 (mi, x Rl U) e Gi and then checks if 
e(Y$,hi)=e(P,Vi). If this condition does not hold, 
rejects the ciphertext. 

Correctness: If a, = (U,Zj) is a valid signcryption text, it is 
easy to see that x Rl U = r Y R| = x Rl r P and (mi|| Vj) is 
decrypted correctly. Thus e(P, Vi) = e(P,x s hi) = e(x s P, hj) 
= e(Y s , hj) holds. 

Pure Signcryption Mode: If the sender and all of the receivers 
are determined, it runs in this mode. Now, x s ?0 and 
f(Y R j)=l ,(i = l,..,n), the ciphertext vector a = (U, Zi,..., Z n ) is 
a signcryption ciphertext vector, the GSC and DGSC 
algorithm are same as above. 

Pure Encryption Mode: If the sender is vacant and all of the 
receivers are determined, it runs in this mode. Now, x s =0 and 
f(Y Ri )=l,(i = l,..,n), so, Vi=x s H 1 (m i , r Y R| ) = O, Z, = (m, || O) 
© H 2 (U, Y Ri , rY Ri ), the ciphertext vector a = (U, Zi,..., Z n ) is a 
encryption ciphertext vector, message m, can be recovered by 
(mill O) = Zi© H 2 (U, YRi, XRi U). 

Pure Signature Mode: If all of the receivers are vacant and the 
sender is determined, it runs in this mode. Now, x s ^0 and 
f(Y Ri )=0, (i = l,..,n), so, V; = x s Hi(mi, O) , Z, = (in, || V,) © 
(H 2 (U, YRi, rYRi) f(YRi)) = mi|| V„ the ciphertext vector a =* 
(U, Z|,..., Z n ) is a signature vector, the signature can be 
verified by checking e(Y s , Hi(mi, 0))=e(P, Vi). 

Hybrid Signcryption Mode: If some of the receivers are 
vacant, and the rest of the receivers and senders are 
determined, the scheme runs in this mode. For the determined 
receivers, x s #) and f(YRi)=l, the ciphertext vector a = (U, Z ; ) 
is a signcryption ciphertext vector, and the procedure is the 
same as pure signcryption mode and for the vacant receivers, 
x s #0 and f(YRi)=0, the ciphertext vector a = (U, Z;) is a 


signature vector, and the procedure is the same as pure 
signature mode. 

Hybrid Encryption Mode: If some of the receivers and 
senders are vacant, it runs in this mode. For the determined 
receivers, x s = 0 and f(YRi) = 1, the ciphertext vector a = (U, 
Z ; ) is a encryption ciphertext vector, and the procedure is the 
same as pure encryption mode and for the vacant receivers, x s 
= 0 and f(YRi) = 0, the ciphertext vector a = (U, Z ; ) is a 
planetext vector, it takes no secure policy. 

The five modes are transparent to applications , namely, the 
algorithm can produce the specific outputs according to the 
inputs of identities of the sender and the receivers adaptively. 
Applications need not care about which mode should be 
taken. 


IV. An Improved Multi-receiver Generalized 
Signcryption Scheme 

GSC: To signcrypt message vector M = {m, | m, e{0,l } z , i = 
l,..,n}, S performs the following operations: 

a) Computes f(Y s ), f(Y Ri ),i=l,..,n. 

b) Picks a random coin r e r Z q and computes the 

commitment U = rP 6 Gi. 

c) For i = l,..,n 

i. Computes H, = Hi(mi,rYRi) e G R V; = x s H ; 

ii. If f(Y s )=0, Computes Z, = ( mi |j H,) © (H 2 (U, 

YR i ,rY Ri )f(Y Ri ))E {0,1} Z+1 , 

else computes Z; = ( mi |j V,) © (H 2 (U, Y Ri , 

rY Ri )f(YRi)) e {0,1 } z+1 ; 

EndFor 

d) The ciphertext vector is given by a = (U, Zi,.... Z n ) 

which is sent to the group via a broadcast channel. 
DGSC: When receiving a, the receiver R ; gets his 
signcryption text cs; = (U, Z,) and performs the following 
steps: 

a) Computes f(Y s ), f(YRi),iE[l,n], 

b) If f(Y s ) = 0, Computes ( mi || H,) = Z, © (H 2 (U, YRi, 

XRiU)f(YRi)),else computes (mi|| V,) = Z, © (H 2 (U, 

YRi, XRiU)f(Y Ri )). 

c) Computes h, = Hi (mi, XRiU) e G, 

d) If f(Y s ) = 0, checks if H, = h,; if this condition does not 

hold, rejects the ciphertext; relse return m,; else 

checks if e(Y s ,hi) = e(P,V,), if this condition does not 

hold, reject the ciphertext; else return m,. 

V. Performance Analysis 
S ince computation time and ciphertext size are two 
important factors affecting the efficiency, we present the 
comparison with respect to them. It is obvious that improved 
scheme does not add any extra computation costs and the 
ciphertext size is the same as the original one, meaning they 
have the same efficiency, but the original one is not secure 
while improved is. The authors of the original schemes 
compared their scheme with other multi-receiver signcryption 
schemes including Duan et al’s multi-receiver signcryption 
[33], Yu et al’s signcryption [38], Li et al’s identity based 
broadcast signcryption [39] and Boyens 
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multipurpose identity-based signcryption [40]. They 
considered the costly operations including pairing evaluation 
(Pairing), modular exponentiation (Exp), and modular 
inverse(Inv). Though the comparison, they concluded their 
scheme is the most efficient one. There our improved scheme 
is the most efficient one too. Now, we give the comparison in 
above table, which shows that the computation time and 
ciphertext size of improved scheme are both the shortest like 
the original scheme’s. 


VI. Conclusion 

Generalized signcryption scheme can adaptively work as 
an encryption scheme, a signature scheme or a signcryption 
scheme with only one algorithm and one key pair, thus it can 
realize using one keypair in three different cryptographic 
primitives. It is very suitable for storage-constrained 
environments. By using the randomness reuse technology, 
Han et al. proposed a multi-receiver GSC scheme, and used it 
for secure multicast in wireless network. Its main merits are to 
reduce overheads efficiently and avoid rekeying when 
membership changes. In this paper, we show that Han et al’s 
multi-receiver GSC scheme is not secure in the pure 
encryption mode and hybrid encryption mode and an 
adversary can modify the challenge ciphertext and then can 
get the plaintext. To remedy this security flaw, an 
improvement of this scheme is given, which is more secure 
than the original one while still maintaining its efficiency. 
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